Sysinternals: difference between versions

From Banane Atomic

(4 intermediate revisions by the same user not shown)
Latest revision as of 7 February 2022 at 18:59

Usage

Sysinternals Utilities Index
Install into C:\Program Files\SysinternalsSuite and add it to the PATH

choco install sysinternals

PsExec

Allows executing processes on remote systems and redirects console applications' output to the local system, so that these applications appear to be running locally.

# run an interactive command prompt on a remote system
psexec -i \\remote cmd

# copy the program test.exe to the remote system and execute it interactively
psexec -i \\remote -c test.exe

# run as the remote admin
psexec \\remote -u remote\administrator -p adminpass ipconfig
# if -p is omitted, psexec prompts for the password
# the password is sent in clear text from the local system

# run regedit on the local system in the System account
psexec -sid c:\windows\regedit.exe
# -s run in the System account
# -i interactive: useful only when you want to run a GUI application on the local system where you can interact with it
# -d don't wait for process to terminate (non-interactive)

SDelete

sdelete64 -s -p 3 .\dossier
# -s recurse into and delete subdirectories
# -p 3 number of passes (default 1)

# -c securely overwrites the free disk space on drive C:
sdelete64 -c c:
# -z zeroes the free disk space on drive C:
sdelete64 -z c:
# the -z option overwrites the free space with zeroes instead, which is faster
A trailing \ at the end of a path causes problems.

Add to the context menu

add.reg
Windows Registry Editor Version 5.00

; inside quoted values, backslashes must be doubled (\\) and quotes escaped (\")

[HKEY_CLASSES_ROOT\*\shell\SDelete]
@="Secure delete"
"NoWorkingDirectory"=""
"Icon"="imageres.dll,-5320"

[HKEY_CLASSES_ROOT\*\shell\SDelete\command]
@="C:\\ProgramData\\chocolatey\\bin\\sdelete64.exe -p 3 \"%1\""

[HKEY_CLASSES_ROOT\Directory\shell\SDelete]
@="Secure delete"
; hide the entry on system locations so they cannot be wiped by a mis-click
"AppliesTo"="NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")"
"NoWorkingDirectory"=""
"Icon"="imageres.dll,-5320"

[HKEY_CLASSES_ROOT\Directory\shell\SDelete\command]
@="C:\\ProgramData\\chocolatey\\bin\\sdelete64.exe -p 3 -s \"%1\""
remove.reg
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\*\shell\SDelete]

[-HKEY_CLASSES_ROOT\Directory\shell\SDelete]
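As an added example (not code from this page or from Sysinternals), a PowerShell wrapper that enforces the two caveats above before calling sdelete64: it strips the trailing backslash that SDelete chokes on and refuses the same system locations the AppliesTo filter keeps out of the context menu. The sdelete64.exe location is an assumption (the Chocolatey shim path used in add.reg), and the function name is hypothetical.

```powershell
function Invoke-SecureDelete {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$Passes = 3,
        # assumed location: the Chocolatey shim referenced by add.reg
        [string]$SDeleteExe = 'C:\ProgramData\chocolatey\bin\sdelete64.exe'
    )
    # same locations the AppliesTo filter in add.reg hides the menu entry on
    $protected = @('C:\Users', 'C:\ProgramData', 'C:\Windows',
                   'C:\Windows\System32', 'C:\Program Files', 'C:\Program Files (x86)')

    # resolve relative paths and drop the trailing '\' that makes sdelete fail
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath.TrimEnd('\')
    if ($full -match '^[A-Za-z]:$') { throw "Refusing to wipe a whole drive: $full" }
    if ($protected -contains $full) { throw "Refusing to wipe protected location: $full" }
    if (-not (Test-Path -LiteralPath $SDeleteExe)) { throw "sdelete64.exe not found: $SDeleteExe" }

    # -p sets the number of passes; -s is only meaningful for directories
    $argList = @('-p', $Passes)
    if (Test-Path -LiteralPath $full -PathType Container) { $argList += '-s' }
    $argList += $full

    # ShouldProcess gives -WhatIf / -Confirm for free on a destructive action
    if ($PSCmdlet.ShouldProcess($full, "sdelete64 -p $Passes")) {
        & $SDeleteExe @argList
        if ($LASTEXITCODE -ne 0) { throw "sdelete64 exited with code $LASTEXITCODE" }
    }
}

# dry run first, then the real run (asks for confirmation)
Invoke-SecureDelete -Path '.\dossier' -WhatIf
Invoke-SecureDelete -Path '.\dossier'
```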

Junction - symbolic link

Preferably use mklink
REM junction <link> <target>
junction C:\Lien-Symbolique "C:\Mon Dossier"
REM paths have to be absolute

Process Monitor

Lists all the operations performed by a process: file and registry access.
Filters reduce the (large) amount of data displayed. An "Include" filter hides every row that does not match its test.

Monitor disk activity

After collecting data → Tools → File Summary

  • C:\Windows\SoftwareDistribution\Download → Windows updates

Handle

Lists the processes using a file.

handle "chemin\fichier"

REM start an elevated terminal, then run handle
Elevate64 cmd /k handle "chemin\fichier"
This program requires administrator rights, so it must be run from a terminal that already has them.
Ticking "Compatibility → Run this program as an administrator" opens a second terminal and does not let you read the output.

ListDLLs

Lists all the DLLs loaded by a process.
Listdlls.exe [executable name or PID]